
Who knows the 224.0.0.22?

Hi To All!

I've used Sygate Personal Firewall for a long time. I regularly get a question from it asking to allow
programs to connect to the following IP: 224.0.0.22. The programs are different, the address is the same.
The asking programs are: PAINT.EXE, Freecell.exe and more uninteresting, randomly selected
programs.
I've tried to ask Sygate Technologies Inc. about it several times. They registered my inquiry but didn't answer.

I've made a few unsuccessful attempts to find out what causes this. I'm using 2 active antivirus
programs (F-Secure and Panda), anti-spyware (Spybot). I have hardware and software firewalls.

So, what da HELL IS IT?!!!!! I'm a bit frustrated.

PS:
Recently I was at my friend's. He is using Sygate too. After his comp booted I saw Sygate ask to allow PAINT.exe to connect to 224.0.0.22!!!!!!!!

2.
For further information check the thread [3],
which I found by putting "224.0.0.22" in the forum search engine of AO.

3.
Just came to my mind: if I remember correctly, Paint and Freecell are programs
which are capable of "serving" several users at the same time, e.g. several persons
on your LAN on different machines can work on the same picture. That's why Paint
tries to establish such connections.

Maybe you are a bit paranoid.
Anyway, you might just block it and forget it. Usually, a home user
does not need it.

Simplified, the MAC address is quite irrelevant on a TCP/IP-driven network.
However, that MAC address is reserved for IP multicast, in particular the
whole range 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF,
i.e. it is indeed a good point that the destination MAC address is given as it is.

A good read [1].

Mapping IP Multicast to MAC-Layer Multicast
To support IP multicasting, the Internet authorities have reserved the multicast address range of 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF for Ethernet and Fiber Distributed Data Interface (FDDI) media access control (MAC) addresses. To map an IP multicast address to a MAC-layer multicast address, the low order 23 bits of the IP multicast address are mapped directly to the low order 23 bits in the MAC-layer multicast address. Because the first 4 bits of an IP multicast address are fixed according to the class D convention, there are 5 bits in the IP multicast address that do not map to the MAC-layer multicast address. Therefore, it is possible for a host to receive MAC-layer multicast packets for groups to which it does not belong. However, these packets are dropped by IP once the destination IP address is determined.

For example, the multicast address 224.192.16.1 becomes 01-00-5E-40-10-01. To use the 23 low order bits, the first octet is not used, and only the last 7 bits of the second octet are used. The third and fourth octets are converted directly to hexadecimal numbers. The second octet, 192, in binary is 11000000. If you drop the high order bit, it becomes 1000000 or 64 (in decimal), or 0x40 (in hexadecimal). For the next octet, 16 in hexadecimal is 0x10. For the last octet, 1 in hexadecimal is 0x01. Therefore, the MAC address corresponding to 224.192.16.1 becomes 01-00-5E-40-10-01.

Token Ring uses this same method for MAC-layer multicast addressing. However, many Token Ring network adapters do not support it. Therefore, by default, the functional address 0xC0-00-00-04-00-00 is used for all IP multicast traffic sent over Token Ring networks. For more information about Token Ring support for IP multicasting, see RFC 1469.

• 224.0.0.0/24 is the link-local scope region. Traffic sent to these addresses is only
transmitted over a single link. This is used for control traffic, for example that from
multicast routing protocols.
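The IP-to-MAC multicast mapping from the quoted excerpt, as an added example that is not part of the original thread: it reproduces the 224.192.16.1 case, maps the thread's 224.0.0.22, checks the 224.0.0.0/24 link-local scope from the bullet above, and enumerates the 32 IP groups that collide on one MAC address because of the 5 dropped bits (which is why IP must still filter on the destination address).

```python
import ipaddress

IP_MCAST_MAC_PREFIX = (0x01, 0x00, 0x5E)   # 01-00-5E-00-00-00 .. 01-00-5E-7F-FF-FF


def multicast_ip_to_mac(ip: str) -> str:
    """Map an IPv4 class D address to its Ethernet/FDDI MAC-layer multicast
    address: fixed prefix 01-00-5E followed by the 23 low-order bits of the IP."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:                      # must be in 224.0.0.0/4
        raise ValueError(f"{ip} is not a class D multicast address")
    low23 = int(addr) & 0x7FFFFF                   # drop the 4 class bits + 5 unmapped bits
    octets = IP_MCAST_MAC_PREFIX + ((low23 >> 16) & 0xFF, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return "-".join(f"{o:02X}" for o in octets)    # e.g. 224.0.0.22 -> 01-00-5E-00-00-16


def ips_sharing_mac(mac: str) -> list:
    """The 5 high-order group bits are lost in the mapping, so 32 distinct IP
    multicast groups land on the same MAC address. Enumerate all of them."""
    parts = [int(p, 16) for p in mac.split("-")]
    if tuple(parts[:3]) != IP_MCAST_MAC_PREFIX or parts[3] > 0x7F:
        raise ValueError(f"{mac} is not an IP-multicast MAC address")
    low23 = (parts[3] << 16) | (parts[4] << 8) | parts[5]
    base = int(ipaddress.IPv4Address("224.0.0.0"))  # 0xE0000000, the class D base
    # bits 23..27 are the ones the MAC mapping threw away; try every value
    return [str(ipaddress.IPv4Address(base | (i << 23) | low23)) for i in range(32)]


def is_link_local_control(ip: str) -> bool:
    """True for 224.0.0.0/24: link-local control traffic that is never forwarded."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network("224.0.0.0/24")


if __name__ == "__main__":
    for ip in ("224.192.16.1", "224.0.0.22"):
        mac = multicast_ip_to_mac(ip)
        print(f"{ip:14} -> {mac}  link-local control: {is_link_local_control(ip)}")
    print("groups sharing 01-00-5E-00-00-16:", ips_sharing_mac("01-00-5E-00-00-16"))
```

The collision list shows why a NIC accepting 01-00-5E-00-00-16 also receives frames for 225.0.0.22, 239.128.0.22 and so on, exactly the "dropped by IP" case the excerpt describes.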

Perhaps it is a multicast address, but it was addressing a single physical (MAC) address.
Would it be an attempt to establish a peer-to-peer contact?

Since we did not get an accurate description of the filename,
I assumed %SystemRoot%\System32\mspaint.exe and
%SystemRoot%\System32\freecell.exe, which are legitimate
Windows XP programs and might show the above described behaviour.

Malware would not try to connect to multicast addresses
using the corresponding MAC address and setting TTL=1,
I guess.

Anyway, cacosapo, since you raised that issue, it might be worth
checking carefully the validity of these executables (i.e. exact name,
coordinates, and compare MD5 hashes).

Cheers.

If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)

- freecell.exe --> http://securityresponse.symantec.com...llw.astef.html
Since I have freecell and it NEVER tried to go to the network, I'm assuming this is malware.
- paint.exe --> isn't it MSpaint.exe? And how does it go to the network? It's malware to me.
- Doing multicast is an excellent way to infect a LAN. I'm still digging about those to find more info.

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

I learned it is better to assume the worst case
instead of relying on "old" known stuff.

If anyone can provide me/us with information
about malware using multicast to penetrate a LAN,
that'll be great. Thanks cacosapo for pointing
this out.
I usually read the distribution methods on the
virii/worms description pages, but didn't stumble
across multicasting there.

damage2, I am very interested in what you find.
I apologize for having been too incautious.

Cheers
